Re: [FW-1] VPN Question - ICMP Packet Out of State - Linksys BEFV P41

Are you pinging the Linksys box from the firewall or are you using machines behind the two as test points? If the latter, it sounds like a NAT problem. Your log should not show src+dst as the addresses of the firewalls. Did you double check your NAT rules to make sure that you have two rules that prevent natting between the local and remote network objects? I am assuming that you are dealing with non-overlapping private network numbers of course.

Just a guess, HTH.

Steven McNutt, CCIE #6495, CCSE, MCSE
President
LightningCloud Technologies
bus:cel:[email protected]

-----Original Message-----
From: Kinsey, Brian A. [mailto:[email protected]]
Sent: Tuesday, May 21, 2002 10:49 AM
To: [email protected]
Subject: Re: [FW-1] VPN Question - ICMP Packet Out of State - Linksys BEFV P41

Yes, I have IPSec_cluster_nat = true for all my firewall objects and my Cluster Objects, but I still can't get the VPN to terminate on the VRRP address. I assume that this is what you were saying was "posted less than 2 weeks ago" as it is all I can find in the list archives or on Phoneboy. Any further help on this would be wonderful, BUT...

My main problem, which I see no info in the archives or on Phoneboy about, is the first issue. Even when I terminate the VPN at the actual Firewall IP address (not the virtual IP), I cannot communicate across the tunnel. Both sides show the tunnel as active, but when I try to ping across, I get the following in my Checkpoint logs:

Source = firewall external IP
Destination = Linksys external IP
Action = Drop
Info = icmp-type 3 icmp-code 2 message_info ICMP packet out of state

I can't find anything that tells me why I would be getting these Port Unreachables from my Checkpoint firewall, or why it would be out of state.

-----Original Message-----
From: Don [mailto:[email protected]]
Sent: Thursday, May 16, 2002 3:15 PM
To: [email protected]
Subject: Re: [FW-1] VPN Question - ICMP Packet Out of State - Linksys BEFVP41

> I am trying to set up a VPN between my NG FP1 FW and a Linksys
> BEFVP41. I see the key installs in my log, and the Linksys shows the
> Status as Connected, but I cannot access machines across the tunnel.
> When I try to ping from a machine behind the Linksys to a machine
> inside my firewall, I get request timed out. In my firewall log, I see
> the following:
>
> Source = firewall external IP
> Destination = Linksys external IP
> Action = Drop
> Info = icmp-type 3 icmp-code 2 message_info ICMP packet out of state
>
> Also, my firewalls are Nokias with VRRP (monitored circuit). If I
> enter the virtual external address of my firewalls into the Remote
> Security Gateway field on the Linksys, I don't even get the key
> installs. I have to enter the actual IPs of one of the firewalls for
> it to get that far. Any ideas as to why I can't terminate my VPNs to
> the virtual IP?